Researchers Demonstrate $10,000 Apple Pay Vulnerability Exploiting iPhone Express Transit Mode
Cybersecurity experts show how a locked iPhone can be drained of $10,000 using an unpatched Visa and Apple Pay vulnerability involving Express Transit mode.
By: AXL Media
Published: Apr 16, 2026, 10:20 AM EDT
Source: PiunikaWeb

The Mechanics of a Seamless Theft
A recently surfaced video featuring YouTuber Marques Brownlee and Henry Reich of Veritasium has brought renewed attention to a persistent security flaw in mobile payments. During the demonstration, two cybersecurity professors from the University of Surrey, Ioana Boureanu and Tom Chothia, successfully executed a $10,000 transaction on a completely locked iPhone. The attack requires no user interaction, passcode, or biometric authentication. By utilizing off-the-shelf NFC hardware and a "man-in-the-middle" configuration, the researchers were able to trick the device into authorizing a high-value retail purchase under the guise of a routine transit fare.

Exploiting the Express Transit Loophole
The core of the vulnerability lies in Apple's "Express Transit" mode, a feature designed for convenience that allows users to tap through subway or bus gates without waking or unlocking their phones. The researchers figured out how to replicate the specific signal sent by transit terminals. Once the iPhone identifies the signal as a transit request, it automatically prepares to pay without the usual Face ID or Touch ID verification. The attackers then intercept the data transmission, flipping specific "bits" in the code to deceive the phone about the transaction's value and the payment terminal about the user's verification status.

A Five-Year Unpatched Impasse
Perhaps the most concerning aspect of the report is that this vulnerability is not new. The University of Surrey team originally alerted both Apple and Visa to the flaw in 2021. Despite five years of awareness, a comprehensive software fix has not been implemented. Apple has publicly stated that the issue resides within Visa's transaction processing system, while Visa maintains that such an attack is unlikely to occur outside of a controlled laboratory environment. This ongoing dispute between the tech giant and the credit issuer has left the loophole open for specific iPhone and Visa card combinations.

Transformative Analysis: The Security Cost of User Convenience
This development highlights the growing tension between user experience and digital security. Features like Express Transit are engineered to remove "friction" from daily life, yet every removed layer of friction represents a potential entry point for sophisticated actors. While Visa emphasizes its zero-liability polic...